usd-2018-0032 | Riverbed SteelCentral AppResponse/9.6
Advisory ID: usd-2018-0032
CVE Number: N/A
Affected Product: SteelCentral AppResponse
Affected Version: 9.6
Vulnerability Type: Reflected Cross-Site-Scripting Vulnerability
Security Risk: Low
Vendor URL: https://support.riverbed.com/content/support/software/steelcentral-npm/appresponse.html
Vendor Status: Unknown
A reflected XSS attack (or non-persistent attack) occurs when a malicious script is reflected off of a web application to the victim’s browser. The attack is typically delivered via email or a web site and activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.
Proof of Concept
Make sure to encode the user supplied input.
- 2018-10-08 First contact request via email@example.com
- 2018-10-15 Second contact request via firstname.lastname@example.org
- 2018-10-17 Riverbed provided their PGP key
- 2018-10-19 Riverbed received the advisory
- 2018-10-23 Riverbed states to review the provided information
- 2018-12-07 Sent disclosure reminder
- 2018-12-07 Security advisory released
These security vulnerabilities were found by Christoph Cierpka and Lars Neumann of usd AG.